feat(fal): add SSH lease provider#693
Conversation
|
Codex review: needs real behavior proof before merge. Reviewed July 9, 2026, 10:54 AM ET / 14:54 UTC. Summary Reproducibility: not applicable. this is a new provider PR rather than a broken existing behavior report. Source and release checks show current main and v0.36.0 do not already contain fal support. Review metrics: 2 noteworthy metrics.
Root-cause cluster Members:
Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything. Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Proof guidance:
Risk before merge
Maintainer options:
Next step before merge
Maintainer decision needed
Security Review findings
Review detailsBest possible solution: Land the provider only after removing the release-owned changelog edit and either posting redacted exact-head live lifecycle proof or getting an explicit maintainer waiver for that funded-provider gate. Do we have a high-confidence way to reproduce the issue? Not applicable; this is a new provider PR rather than a broken existing behavior report. Source and release checks show current main and v0.36.0 do not already contain fal support. Is this the best way to solve the issue? Mostly yes; the direct SSH-lease implementation matches the linked provider request and Crabbox's provider architecture. The safer merge path is to keep the implementation but require proof or a maintainer waiver before accepting the billable lifecycle. Full review comments:
Overall correctness: patch is correct AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against e5b1f2f54691. Label changesLabel justifications:
Evidence reviewedWhat I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
Review history (12 earlier review cycles; latest 8 shown)
|
|
Context on the Go CI timeout update in The first red Go run was a real static-analysis issue, not runtime: After that fix, the next Go run passed the earlier gates: formatting, To verify the diagnosis before changing CI, I ran the same coverage command locally. It completed successfully with Result: the replacement GitHub Actions run passed: https://github.com/openclaw/crabbox/actions/runs/28198853668. The Go job passed in 14m17s, including Deadcode, Test, Test all Go modules, Coverage, and Build: https://github.com/openclaw/crabbox/actions/runs/28198853668/job/83532759285. |
605caed to
d9e9bd3
Compare
a6d24f5 to
5a030ef
Compare
Add fal provider registration, env-only credential loading, non-secret configuration, and a schema-backed Compute API client skeleton. Keep fal lifecycle support out of the advertised run surface until the PLAN-02 backend wires acquire/list/release behavior.
Restore PLAN-01's advertised fal surface to an SSH lease provider with ssh, crabbox-sync, and cleanup capabilities. Keep lifecycle behavior deferred behind explicit PLAN-02 errors so discovery matches the plan without silently performing unsupported resource operations.
Implement fal Compute lease acquire, resolve, list, touch, release, and cleanup flows with local-claim ownership checks.\n\nAdd offline lifecycle tests for rollback, recovery claims, status-only resolve, persisted SSH endpoints, and destructive-operation safeguards.
Document the direct fal Compute SSH lease provider, add provider matrix metadata, and regenerate the provider category surfaces. Add an opt-in live smoke script with no-live defaults, credential gating, classified external blockers, redaction, cleanup attempts, and dispatcher coverage.
Build the acquired fal lease target after the SSH readiness probe so fallback port discovery is reflected in the returned lease as well as the persisted claim. Add regression coverage for a configured SSH port corrected by the readiness probe.
Retry ambiguous fal Compute creates with the same lease idempotency key before proceeding so a recoverable provider id is required for local claim ownership. Avoid persisting empty-provider-id recovery claims when idempotent reconciliation cannot return a fal instance id, and cover both retry success and retry failure paths.
Drop the unused fal inventoryDoctorResult wrapper so the CI deadcode gate passes.
5a030ef to
81d72c3
Compare
# Conflicts: # docs/providers/README.md # internal/cli/credential_provenance.go
Closes #694
Summary
Adds a direct fal Compute SSH lease provider with Crabbox-managed SSH and sync support, local-claim-owned cleanup, and the
fal-aialias.This also adds fal provider docs, provider matrix metadata, benchmark category generation, and an opt-in guarded live smoke script that defaults to no live provider mutation unless
CRABBOX_LIVE=1and fal is selected.Lifecycle safety
Idempotency-Keyheader with the Crabbox lease ID for creates.--keepexplicitly owns a failed-acquire recovery claim.billing_blocked, with regression coverage, instead of reporting them as generic validation failures.Verification
7c54ce304c9379e78f6fb11a482552b384228ee8main; generated provider metadata and docs checks pass.go vet ./...go test -race ./...go test -race ./internal/providers/fal ./internal/cli -run 'Fal|fal|RunStopCommandRedactsProviderURLUserinfo|LeaseOptionsFromConfigCanonicalizesProviderScope' -count=1go run golang.org/x/tools/cmd/deadcode@v0.45.0 -test ./...— no unreachable functionsbash -n scripts/live-fal-smoke.shnode --test scripts/live-fal-smoke.test.js scripts/live-smoke.test.js(68 passing)./scripts/check-docs.sh(54 command docs, 74-provider matrix, 214 Markdown files, docs-site build)git diff --checkThe rebased candidate also fixes the default 1x H100 create path: it no longer sends the 8x-only
sectorfield, even when stale configuration supplies one.Authenticated live gate
doctorand inventory listing passed with a temporary admin-scoped test key.billing_blocked; exact post-attempt inventory was empty, so no funded resource or lease residue exists.Keep this pull request unmerged until the exact candidate completes real create, SSH/use, destroy, and zero-residue proof, or that item-specific funded-provider gate is explicitly waived.